HITRUST builds GDPR into its data protection framework

The organization is broadening its framework into a single assessment tool covering differing data protection regulations around the world.

HITRUST announced that it is expanding its framework to include the General Data Protection Regulation (GDPR) and the Singapore Personal Data Protection Act (PDPA) requirements and pulling them into what it described as a global 'one framework, one assessment' model.

WHY IT MATTERS

"As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex," says Anne Kimbol, chief privacy officer, HITRUST. "Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally."

THE BIGGER TREND

As providers and enterprises wrestle with the complexity of global compliance, the U.S. government is working on integrating risk management across all aspects of a business.

In light of that, the National Institute of Standards and Technology posted the newest update to its Risk Management Framework last month. NIST's Risk Management Framework 2.0 combines privacy, security and supply chain risk management into one framework, we reported Dec. 21. RMF 2.0 sets out seven objectives and adds a new "Prepare" step ahead of the existing ones.

"RMF 2.0 is the first framework in the world to address security, privacy, and supply chain risk in an integrated manner — at the organization, mission/business process, and system levels," NIST Fellow Ron Ross wrote in a Twitter post.

WHAT'S NEXT FOR HITRUST?

In addition to the new 'one framework, one assessment' expansion in Europe and Asia, HITRUST officials also announced that the company has filed, through its Irish subsidiaries, a formal application with the European Data Protection Board and the Irish Data Protection Commission to have the HITRUST CSF officially recognized as a standard for GDPR certification.

HITRUST is also working with Irish authorities to become an accredited certification body for GDPR.

And HITRUST announced it is evaluating the process to become an Accountability Agent under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) programs.

According to Bryan Cline, vice president of standards and analysis at HITRUST, "Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally."